President Barack Obama issued an executive order Tuesday that seeks to shore up the nation’s cyber-defenses by improving how classified information is shared between the government and the owners and operators of crucial infrastructure, including electric utilities, dams and mass transit.
The long-expected order, which Obama announced in his State of the Union speech, is a stopgap measure that follows Congress’ failure last year to pass legislation to create comprehensive standards for the private sector to help thwart digital attacks. Many Republicans and business leaders had decried that bill as unnecessary regulation, while civil liberties groups warned of privacy concerns.
“We know hackers steal people’s identities and infiltrate private e-mail,” Obama said. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The executive order comes amid growing concern about foreign-based theft of government and other sensitive computer data and sophisticated digital attacks capable of causing physical damage to national infrastructure, from water treatment plants to traffic systems.
A senior administration official, who spoke on condition of anonymity to brief reporters before the announcement, called cyber-attacks “a grave threat to the United States that requires a new approach based on public-private partnerships.”
He said Obama decided to act because the risk remained high and congressional action was uncertain. The president will continue to push for new legislation, the official said.
The order includes two main features. One will expand a program that allows the government to share classified cyber-threat information, including malware signatures, with private companies that pass a security clearance process. The effort now is mostly limited to Internet companies and defense contractors, but it would add crucial infrastructure companies.
“The government provides classified information about cyber-threats to Internet service providers and cyber-security companies ... they use that to protect their customers,” a second senior administration official said. “We’re going to expand the pool of companies that are able to benefit from these cyber-security services.”
The order also requires the National Institute of Standards and Technology, a federal agency, to help write voluntary standards so companies can reinforce their network defenses to detect and repel cyber-attacks.
The U.S. intelligence community is preparing a National Intelligence Estimate on cyber-attacks aimed at the United States. Officials say the classified document will highlight the role of Chinese government entities in stealing American intellectual property through hacking, and will outline other cyber-threats overseas.
U.S. officials believe Iran is behind recent cyber-attacks against American banks, for example, in retaliation for the United States’ suspected role in a cyber-attack on Iran aimed at slowing its nuclear program. Russia is also active in cyber-espionage, U.S. officials say.
Most American infrastructure is controlled by computer networks connected to the Internet, and some of those networks are vulnerable to dangerous hacking attacks, experts say. A cyber-attack on the electrical power grid, for example, could have severe consequences.
“We’re talking about a subset of companies that, if something really bad happens to them in cyberspace, something really bad happens to an awful lot of people,” a third administration official said.
Leon E. Panetta, the outgoing secretary of defense, warned in a speech Feb. 9 that “it is very possible the next Pearl Harbor could be a cyber-attack. That would have one hell of an impact on the United States of America. That is something we have to worry about and protect against.”